Microsoft Sentinel Analytic Rules

Lookout - Critical Audit and Policy Changes v2

Id: 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d
Rulename: Lookout - Critical Audit and Policy Changes (v2)
Description: Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance.
Severity: Medium
Tactics: DefenseEvasion, Persistence, PrivilegeEscalation, Impact
Techniques: T1629, T1626
Required data connectors: LookoutAPI
Kind: Scheduled
Query frequency: 15m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutAuditEventV2.yaml
Version: 2.0.3
Arm template: 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d.json
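// Classifies Lookout audit events and emits one row per event with triage
// labels (ChangeImpact, RiskLevel, SecurityImplications, ComplianceRisk).
// Every label is derived only from AuditType, ActorType and the text of
// AuditAttributeChanges; nothing here checks an allow-list or approval record.
LookoutEvents
| where EventType == "AUDIT"
| where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
| extend
    // The filter above admits only these four AuditType values, so the
    // trailing "Low" default is never produced by this query.
    ChangeImpact = case(
        AuditType == "POLICY_CHANGE", "High",
        AuditType == "SECURITY_SETTING_CHANGE", "High",
        AuditType == "USER_MANAGEMENT", "Medium",
        AuditType == "CONFIGURATION_CHANGE", "Medium",
        "Low"
    ),
    // "Unauthorized Change" means "a USER-type actor changed a policy or
    // security setting"; it is a label based on ActorType alone, not the
    // result of an authorization check.
    RiskLevel = case(
        ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
        ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
        ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
        ActorType == "UNKNOWN", "Suspicious Change",
        "Standard Change"
    )
// `has` is a case-insensitive term search over the whole AuditAttributeChanges
// value. The two terms in a branch are not tied to each other, so an event that
// touches several attributes can match because "false" or "LOW" belongs to a
// different attribute, and the test does not separate old from new values.
// case() returns the first matching branch only. Treat the label as a triage
// hint and confirm against AuditAttributeChanges itself.
| extend SecurityImplications = case(
    AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
    AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
    AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
    AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
    AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
    "Configuration Update"
)
| extend ComplianceRisk = case(
    SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
    SecurityImplications == "Device Wipe Disabled", "High",
    SecurityImplications == "Privilege Changes", "High",
    RiskLevel == "Unauthorized Change", "High",
    RiskLevel == "Suspicious Change", "Medium",
    "Low"
)
// Sentinel alert severity accepts Informational, Low, Medium or High only.
// ComplianceRisk can be "Critical", which a severity override cannot use, so
// the most serious rows would fall back to the rule's default severity.
// AlertSeverity carries the same ranking capped at "High" for that purpose.
| extend AlertSeverity = iff(ComplianceRisk == "Critical", "High", ComplianceRisk)
| extend ChangeDetails = case(
    isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
    isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
    "General audit event"
)
| project
    TimeGenerated,
    EventId,
    AuditType,
    ChangeImpact,
    RiskLevel,
    SecurityImplications,
    ComplianceRisk,
    AlertSeverity,
    ChangeDetails,
    AuditAttributeChanges,
    ActorType,
    ActorGuid,
    TargetType,
    TargetGuid,
    TargetEmailAddress,
    ChangeType,
    EnterpriseGuid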
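# Scheduled analytic rule over Lookout audit events (EventType == "AUDIT").
# The query labels each change (ChangeImpact, RiskLevel, SecurityImplications,
# ComplianceRisk); those labels drive alert naming, severity and incident
# grouping in the settings below.
# NOTE(review): T1629 and T1626 appear to be Mobile ATT&CK techniques for
# defense evasion and privilege escalation; confirm that the Persistence and
# Impact tactics listed under `tactics` are intended without a technique.
relevantTechniques:
- T1629
- T1626
# NOTE(review): ActorGuid and TargetGuid are GUID columns mapped to name-style
# identifiers (FullName, HostName), and TargetGuid is mapped as a Host for every
# TargetType. Confirm these produce usable entities before relying on
# entity-based grouping or correlation.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorGuid
    identifier: FullName
  - columnName: TargetEmailAddress
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: TargetGuid
    identifier: HostName
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 2.0.3
suppressionDuration: PT30M
id: 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d
suppressionEnabled: false
severity: Medium
kind: Scheduled
# NOTE(review): queryPeriod (1h) is four times queryFrequency (15m) and the rule
# raises one alert per result, so the same audit event can match in up to four
# consecutive runs. Confirm the repeated alerts are acceptable.
queryFrequency: 15m
description: |
    'Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance.'
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
triggerOperator: gt
name: Lookout - Critical Audit and Policy Changes (v2)
tactics:
- DefenseEvasion
- Persistence
- PrivilegeEscalation
- Impact
alertDetailsOverride:
  alertDescriptionFormat: '{{AuditType}} by {{ActorType}} with {{ComplianceRisk}} risk'
  # alertTacticsColumnName is not set: SecurityImplications holds descriptive
  # labels ("Auto-Quarantine Disabled", ...), not ATT&CK tactic names, so it
  # cannot drive the alert tactics; the rule-level `tactics` list applies.
  # Severity comes from AlertSeverity rather than ComplianceRisk because
  # ComplianceRisk can be "Critical", which is not a Sentinel alert severity;
  # an invalid value leaves the alert at the rule default (Medium).
  alertSeverityColumnName: AlertSeverity
  alertDisplayNameFormat: 'Critical Audit Event: {{SecurityImplications}} by {{ActorType}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutAuditEventV2.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  // Every label below is derived only from AuditType, ActorType and the text
  // of AuditAttributeChanges; nothing here checks an allow-list or approval.
  LookoutEvents
  | where EventType == "AUDIT"
  | where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
  | extend
      // The filter above admits only these four AuditType values, so the
      // trailing "Low" default is never produced.
      ChangeImpact = case(
          AuditType == "POLICY_CHANGE", "High",
          AuditType == "SECURITY_SETTING_CHANGE", "High",
          AuditType == "USER_MANAGEMENT", "Medium",
          AuditType == "CONFIGURATION_CHANGE", "Medium",
          "Low"
      ),
      // "Unauthorized Change" is a label based on ActorType alone, not the
      // result of an authorization check.
      RiskLevel = case(
          ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
          ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
          ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
          ActorType == "UNKNOWN", "Suspicious Change",
          "Standard Change"
      )
  // `has` is a case-insensitive term search over the whole value. The two
  // terms in a branch are not tied to each other, so "false" or "LOW" may
  // belong to a different attribute, and old and new values are not
  // distinguished. case() returns the first matching branch only.
  | extend SecurityImplications = case(
      AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
      AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
      AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
      AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
      AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
      "Configuration Update"
  )
  | extend ComplianceRisk = case(
      SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
      SecurityImplications == "Device Wipe Disabled", "High",
      SecurityImplications == "Privilege Changes", "High",
      RiskLevel == "Unauthorized Change", "High",
      RiskLevel == "Suspicious Change", "Medium",
      "Low"
  )
  // Same ranking as ComplianceRisk, capped at "High" so the value is a valid
  // alert severity for alertSeverityColumnName.
  | extend AlertSeverity = iff(ComplianceRisk == "Critical", "High", ComplianceRisk)
  | extend ChangeDetails = case(
      isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
      isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
      "General audit event"
  )
  | project
      TimeGenerated,
      EventId,
      AuditType,
      ChangeImpact,
      RiskLevel,
      SecurityImplications,
      ComplianceRisk,
      AlertSeverity,
      ChangeDetails,
      AuditAttributeChanges,
      ActorType,
      ActorGuid,
      TargetType,
      TargetGuid,
      TargetEmailAddress,
      ChangeType,
      EnterpriseGuid
status: Available
customDetails:
  ActorType: ActorType
  SecurityImpact: SecurityImplications
  AuditType: AuditType
  ComplianceRisk: ComplianceRisk
  ChangeImpact: ChangeImpact
  TargetType: TargetType
  ChangeType: ChangeType
  RiskLevel: RiskLevel
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - Account
    # AuditType is grouped here as a custom detail. ActorGuid is already covered
    # by the Account entity above, which is built from the ActorGuid column.
    groupByCustomDetails:
    - SecurityImpact
    - ComplianceRisk
    - ActorType
    - AuditType
    # Only DisplayName and Severity are valid alert details for grouping;
    # AuditType and ActorGuid are query columns, not alert details.
    groupByAlertDetails: []
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: P1D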